by wglb 4229 days ago
I get the impression that the anti many eyes sentiment comes largely from non-programmers, am I wrong about that?

I can only speak for myself. I am a long-time programmer and security professional and I argue against the "many eyes" sentiment.

A significant portion of the projects that I assess code on I don't have the source. And yes, I find security-relevant bugs in that code.

There are claimed black boxes and "open" black boxes. On a Linux system, do a "top" and tell me how many of those hundreds of open source programs the eyeballs have actually looked at and can testify to the absence of bugs or presence of trustworthiness?


Realistically, there is so much code in a Linux system it takes a lifetime to review it all yourself. So, you end up putting your trust in the code reviews of random people on the internet. Is that better than putting your trust in BigCorp? I used to think so, but I'm not so sure anymore because I don't see substantiation of the claim that open source is more secure. I see similar volumes of security issues in open source and closed source, and I don't see that ratio changing over time, which is what the many eyeballs theory would suggest.

Sure, the many eyeballs theory is appealing, but it seems more aspirational than actual.

A government institution does have the resources to review every single application they use, should they want to.

You're also missing that often BigCorp gets more involved in open source than random individuals. Microsoft, for example, is said to be the fifth largest contributor to Linux 3.0; speaking of which, Red Hat, IBM and Google are regulars, and now Samsung too.

Fun fact, did you know that SELinux, one of the most advanced modules for access control, was originally developed by the NSA? Yup, a little ironic, but we can use it because it is open-source and because it has been reviewed.